Boxc.club Investigation 



Investigation Purpose: To gather information about "boxc.club" and
its shady affiliated "sponsors"
Investigation date: January 8, 2015
Investigation Status: Complete

Website: boxc.club
Owner: Makan Dey (or "Chris")
IP addresses affiliated with boxc.club:
23.245.7.104 | Enzu | Los Angeles, California
194.68.223.240 | Phoenix NAP, LLC (ISP: Resilans AB) | Sweden

Sponsors: 

"Ronsor, Inc" - username: anonman/ronsor
Website: ronsor.cu.cc
Affiliated domains: youwikiz.com
Domains registered to: Boxc Company

Who is Ronsor? Ronsor claims to be an incorporated company. Let's try to
validate that...



Corporations Canada - Search Results
Searched for: Corporate Name: Rosnor
0 results were found, 0 returned.



So, no such corporation in Canada. (Note that the name as searched was "Rosnor", a transposition of "Ronsor"; a null result for a misspelled name proves little on its own.) Let's try the USA...




EDGAR Search Results (SEC Home » Search the Next-Generation EDGAR System » Company Search)
No matching companies.

http://www.sec.gov/cgi-bin/browse-edgar

Not shocking that they're not a registered corporation. Keep in mind that EDGAR only lists companies that file with the SEC, so a miss there is weak evidence by itself, but taken together with the Canadian result it already points to a kid running this with no real experience. Let's dig
deeper...

So, when we load ronsor.cu.cc, we are presented with an IRC page. The IRC
page shows "irc.youwikiz.com" which, of course, is registered to "BOXC
Company" - a registrant that supplies invalid WHOIS information...
Registrar Data, January 08, 2015

Domain Name: YOUWIKIZ.COM
Registry Domain ID: 1S79S5S296_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2014-11-07T00:13:04Z
Creation Date: 2014-10-10T21:14:04Z
Registrar Registration Expiration Date: 2015-10-10T21:14:04Z
Registrar: Domain.com, LLC
Registrar IANA ID: 536
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Domain.com
Reseller: support@domain-inc.net
Reseller: +1.8004033568
Domain Status:
Registry Registrant ID:
Registrant Name: BOXC Company
Registrant Organization: BOXC Company
Registrant Street: BOXC Street
Registrant City: Toronto
Registrant State/Province: ON
Registrant Postal Code: M2L2J4
Registrant Country: CA
Registrant Phone: +1.647431S762

BOXC Company - does not exist
BOXC Street - does not exist
Phone number - VoIP in Canada
Address - does not exist

So, just based off that, we can tell it's inexperienced, shady people, but let's
continue...
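One way to mechanise the sanity check above, as an added example written for this writeup rather than anything the original investigation ran: parse the registrant block and flag values that look like placeholders (a street with no house number, a street that repeats the organisation name, a postal code or phone number that does not fit the stated country). Both records are embedded inline: the first is the youwikiz.com record from above with a made-up stand-in phone number (one digit is illegible in the capture), the second is an invented clean record for contrast.

```python
"""Flag placeholder-looking registrant data in a WHOIS record.

Added example for this writeup; not a tool the original investigation used.
Sample records are constructed inline.
"""
import re

# Transcribed from the youwikiz.com record quoted above. The phone number is a
# constructed stand-in (647-000-0000 is not a valid NANP number) because one
# digit is illegible in the source capture.
SAMPLE_WHOIS = """\
Domain Name: YOUWIKIZ.COM
Registrar: Domain.com, LLC
Creation Date: 2014-10-10T21:14:04Z
Registrant Name: BOXC Company
Registrant Organization: BOXC Company
Registrant Street: BOXC Street
Registrant City: Toronto
Registrant State/Province: ON
Registrant Postal Code: M2L2J4
Registrant Country: CA
Registrant Phone: +1.6470000000
"""

# Entirely made-up record with plausible-looking fields, for contrast.
CLEAN_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Name: Jane Admin
Registrant Organization: Northwind Hosting Inc.
Registrant Street: 123 Example Ave, Suite 400
Registrant City: Toronto
Registrant State/Province: ON
Registrant Postal Code: M5V 3L9
Registrant Country: CA
Registrant Phone: +1.4165550100
"""

POSTAL_FORMATS = {
    "CA": re.compile(r"^[A-Z]\d[A-Z] ?\d[A-Z]\d$"),
    "US": re.compile(r"^\d{5}(-\d{4})?$"),
}
# Registrar output uses the RDDS convention +CC.NUMBER, e.g. +1.6475551234.
PHONE_RE = re.compile(r"^\+(\d{1,3})\.(\d{4,14})$")
COUNTRY_CODE = {"CA": "1", "US": "1"}


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict (later duplicates overwrite)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            fields[key] = value
    return fields


def placeholder_findings(fields):
    """Return (field, reason) pairs for registrant values that look made up."""
    findings = []
    org = fields.get("Registrant Organization", "")
    street = fields.get("Registrant Street", "")
    country = fields.get("Registrant Country", "").upper()
    postal = fields.get("Registrant Postal Code", "").upper()
    phone = fields.get("Registrant Phone", "")

    if street and not re.search(r"\d", street):
        findings.append(("Registrant Street", "no house or unit number"))
    if org and street and org.split()[0].lower() in street.lower():
        findings.append(("Registrant Street", "street name repeats the organisation"))
    fmt = POSTAL_FORMATS.get(country)
    if fmt and postal and not fmt.match(postal):
        findings.append(("Registrant Postal Code", "does not match %s format" % country))
    m = PHONE_RE.match(phone)
    if phone and not m:
        findings.append(("Registrant Phone", "not in +CC.NUMBER form"))
    elif m and COUNTRY_CODE.get(country) not in (None, m.group(1)):
        findings.append(("Registrant Phone", "country code does not match registrant country"))
    return findings


if __name__ == "__main__":
    for label, record in (("youwikiz.com", SAMPLE_WHOIS), ("clean", CLEAN_WHOIS)):
        print(label, placeholder_findings(parse_whois(record)))
```

Note what this cannot tell you: M2L2J4 is a syntactically valid Toronto postal code and the stand-in phone is a well-formed +1.647 number, so "address does not exist" and "VoIP" are conclusions you only reach by checking the street against a map and the number against a carrier lookup, not from the record's syntax.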

I can see this "company" has never heard of backdoors/rootkits... 
Post by anonman/ronsor (Sponsor, Threads: 0, Joined: Jan 2015), Yesterday, 12:42 AM
(This post was last modified: Yesterday, 12:46 AM by anonman/ronsor.)

    Makan Wrote: (01-06-2015, 10:51 PM)
    Hmmm. This person has hacked the whole server. Don't worry, Ronsor Inc is working on fixing this in no time.

    You bet I am, I hate getting hacked! The system has no damage mostly.
    Fixed now (edit)

    CEO of Ronsor Inc, providing Ronsor.cu.cc VPS for this forum.
    -> PM me if the VPS is down




It reads, "You bet I am, I hate getting hacked! the system has no damage
mostly. Fixed now (edit)". Well then: "fixed" within hours of a full server
compromise means the box was patched up in place rather than rebuilt, so
any backdoors/rootkits the attackers left behind are still there and they
still control it. Okay...

Moving on, let's check out what's running the backend of BOXC - it shows
up as a few different pieces of software, one control panel per server:

Kloxo-MR 6.5.0 on 194.68.223.240:7778 (vulnerable to CSRF, btw; no specific advisory is cited in this writeup)

Sentora on 23.245.7.104 (a fork of ZPanel, and also vulnerable; again no specific advisory is cited here)

IP Resolving & ISP Details:

23.245.7.104
  Decimal: 401934184
  Hostname: 23.245.7.104
  ISP: Enzu
  Organization: Enzu
  Services: None detected
  Type: Corporate
  Assignment: Static IP

194.68.223.240
  Decimal: 3259293680
  Hostname: 194.68.223.240
  ISP: Resilans AB
  Organization: Phoenix NAP, LLC.
  Services: None detected
  Type: (not given)
  Assignment: Static IP
  Country: Sweden
  Latitude: 59.3294 (59° 19' 45.84" N)
  Longitude: 18.0686 (18° 4' 6.96" E)

(The coordinates are the geolocation database's centroid for Stockholm, not a measured server location; treat the country as reliable and the point as decorative.)
Now, to come up with these IP addresses: I noticed the boxc.club domain was
hidden behind Cloudflare, so a simple workaround is a Cloudflare resolver, as
shown below. It works because Cloudflare only proxies the HTTP(S) hostnames
you put behind it; mail, FTP and similar records have to point straight at the
real server, and people routinely leave them pointing at the same box that
hosts the site.



Domain: boxc.club

DNS                          IP
mail.boxc.club               194.68.223.240
direct.boxc.club             No DNS record
direct-connect.boxc.club     No DNS record
cpanel.boxc.club             No DNS record
ftp.boxc.club                23.245.7.104
admin.boxc.club              No DNS record
pop.boxc.club                No DNS record
imap.boxc.club               No DNS record
webmail.boxc.club            194.68.223.240
forum.boxc.club              No DNS record
admin.boxc.club              No DNS record
beta.boxc.club               No DNS record
portal.boxc.club             No DNS record
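An added example of the same technique in Python (not the resolver the writeup used): resolve a list of common labels under the domain and keep only the answers that fall outside Cloudflare's published IPv4 edge ranges, since those are the hosts talking to the real server. The range list is Cloudflare's public one and should be refreshed from https://www.cloudflare.com/ips/ before relying on it; the constructed answers below mirror the table above, with a made-up Cloudflare edge address for the apex and www so the filter has something to discard.

```python
"""Find origin IPs behind Cloudflare by resolving common subdomains.

Added example for this writeup, not the resolver tool the author used.
"""
import ipaddress
import socket

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips/).
# Refresh this list before use; it changes over time.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The labels the writeup's resolver tried, plus a few more common ones.
SUBDOMAIN_LABELS = [
    "www", "mail", "direct", "direct-connect", "cpanel", "ftp", "admin", "pop",
    "imap", "webmail", "forum", "beta", "portal", "dev", "staging", "ns1", "ns2",
]


def is_cloudflare(ip):
    """True when the address sits inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def live_resolve(host):
    """Resolve via the system resolver; None when there is no A record."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def find_origins(domain, labels=SUBDOMAIN_LABELS, resolve=live_resolve):
    """Return {hostname: ip} for names that resolve to a non-Cloudflare IP."""
    origins = {}
    for label in [None] + list(labels):
        host = domain if label is None else "%s.%s" % (label, domain)
        ip = resolve(host)
        if ip is not None and not is_cloudflare(ip):
            origins[host] = ip
    return origins


# Constructed DNS answers mirroring the table in this writeup. The apex and www
# answers are made-up Cloudflare edge addresses; everything else is "no record".
FAKE_DNS = {
    "boxc.club": "104.16.1.1",
    "www.boxc.club": "104.16.1.1",
    "mail.boxc.club": "194.68.223.240",
    "ftp.boxc.club": "23.245.7.104",
    "webmail.boxc.club": "194.68.223.240",
}


def fake_resolve(host):
    """Offline stand-in for live_resolve, answering from FAKE_DNS."""
    return FAKE_DNS.get(host)


if __name__ == "__main__":
    # Swap fake_resolve for live_resolve to run this against real DNS.
    for host, ip in sorted(find_origins("boxc.club", resolve=fake_resolve).items()):
        print("%-25s %s" % (host, ip))
```

A non-Cloudflare answer on mail.* or ftp.* is only a candidate origin: confirm it by requesting the site from that IP with a Host: boxc.club header and comparing the response with what you get through Cloudflare, and remember that the table is a point-in-time snapshot of someone else's DNS.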



So, it's safe to say the "sponsor" and Makan appear to be one and the same, or
closely related: same writing style, the sponsor's domain registered to Makan's
"BOXC Company", everything. Let's see what we can dig up on the IRC...
Channel Name                    Users
#ronsor                         10
#lobby                          2
#asterirc                       2
##HelenaKitty
##elenaKitty
&debug.ircd.youwikiz.com
&debug.ircd.youwokiz.com
#t
#relayhub
#a Unite cafe

AsterIRC, that's interesting, right?
Debug... that's interesting, right...?

#AsterIRC topic: Welcome to #AsterIRC @ irc.umbrellix.tk, where the best chats hurt less! :-) | The Jan Show: http://www.unnbrellixIM'tjs-20141 1 12.ogg | AsterIRC is dead

AsterIRC MOTD: irc.umbrellix.tk

Also seen: "Apache2 Debian Default Page"

Okay, so it's Apache 2 on Debian, good to know.
IRC CTCP commands:

[Ronsor] [CTCP] VERSION EveryWhereChat Rambler 2.1.751 [Linux 3.0.0-12-generic]
[AnonGirl] [CTCP] VERSION ZNC 1.5-git-257-0908023 - http://znc.in
[Ronsor] [CTCP] VERSION EveryWhereChat Rambler 2.1.751 [Linux 3.0.0-12-generic]

[CTCP] TIME Thu Jan 8 12:12:52 2015

[CTCP] PING

Note that AnonGirl's reply comes from ZNC, a bouncer, so it fingerprints the bouncer host and not the client behind it, while Ronsor's client reports the kernel of the machine it runs on (3.0.0-12-generic is the Ubuntu 11.10 kernel line).
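Parsing CTCP replies off the wire, as an added example (not the client or script used for the capture above): CTCP replies arrive inside NOTICE messages framed by \x01 bytes, so the parser pulls the VERSION/TIME payload out, separates the client string from the bracketed OS hint, and marks bouncers so their replies are not mistaken for the user's own machine. The wire lines are constructed from the replies quoted above; the user@host parts are made up.

```python
"""Extract CTCP VERSION/TIME replies from raw IRC lines and fingerprint nicks.

Added example for this writeup; not the client or script the author used.
"""
import re

# A CTCP reply is a NOTICE whose text is wrapped in \x01 ... \x01.
NOTICE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+)@(?P<host>\S+))?"
    r" NOTICE \S+ :\x01(?P<tag>[A-Z]+)(?: (?P<body>.*?))?\x01\s*$"
)
# Client strings that are really bouncers; their reply describes the bouncer host.
BOUNCERS = ("ZNC", "psyBNC", "BNC")

# Constructed wire lines based on the replies quoted above; user@host made up.
SAMPLE_LINES = [
    ":Ronsor!ident@ircd.youwikiz.com NOTICE me :\x01VERSION EveryWhereChat Rambler 2.1.751 [Linux 3.0.0-12-generic]\x01",
    ":AnonGirl!ident@example.invalid NOTICE me :\x01VERSION ZNC 1.5-git-257-0908023 - http://znc.in\x01",
    ":Ronsor!ident@ircd.youwikiz.com NOTICE me :\x01TIME Thu Jan 8 12:12:52 2015\x01",
    ":Ronsor!ident@ircd.youwikiz.com PRIVMSG #ronsor :hello",  # not a CTCP reply
]


def parse_ctcp_reply(line):
    """Return {'nick', 'tag', 'body'} for a CTCP reply line, else None."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    return {"nick": m.group("nick"), "tag": m.group("tag"), "body": m.group("body") or ""}


def fingerprint(lines):
    """Build {nick: {client, os, bouncer, time}} from a batch of CTCP replies."""
    profiles = {}
    for line in lines:
        reply = parse_ctcp_reply(line)
        if reply is None:
            continue
        prof = profiles.setdefault(
            reply["nick"], {"client": None, "os": None, "bouncer": False, "time": None}
        )
        if reply["tag"] == "VERSION":
            body = reply["body"]
            # Many clients append the OS in square brackets; split it off.
            os_match = re.search(r"\[([^\]]+)\]\s*$", body)
            prof["os"] = os_match.group(1) if os_match else None
            prof["client"] = body[: os_match.start()].strip() if os_match else body
            prof["bouncer"] = bool(body) and body.split()[0] in BOUNCERS
        elif reply["tag"] == "TIME":
            prof["time"] = reply["body"]
    return profiles


if __name__ == "__main__":
    for nick, prof in fingerprint(SAMPLE_LINES).items():
        print(nick, prof)
```

Anything a client volunteers in a VERSION reply is self-reported and trivially spoofable, so treat the kernel string as a hint to corroborate against the server's own behaviour rather than as a fact.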

So, the contact email on the domain is boxcads@gmail.com.
A quick search turns up...
"Makan Dey"
Which leads to...

https://twitter.com/boxc_company
http://about.me/makan.d

Now, what other domains are affiliated with that email?
officialgearclan.com

Well, visiting that leads to "zTech", a "hosting" business. Interesting.
Following a link on the page goes to http://airbrowse.x10host.com/, which
Makan's website claims to own; visiting it shows "AirBrowse Technologies".

That site offers a ton of rather strange "products" for download. Upon
downloading "abinstall.exe" for "AirBrowse", my anti-virus and browser
instantly flagged it as malicious. Interesting... Let's check it on VirusTotal.
VT URL:

https://www.virustotal.com/en/file/2c303737dac54578b5ca24edb6fd1b9710cb70ee2aae537aff4c6d5a6ea2f152/analysis/1420738176/ - 1 detection

(A single-engine hit on a small unsigned installer is weak evidence on its own; treat it as a lead rather than a conclusion.)

Now, searching the listed email airbrowse10@gmail.com we find:

Google search: airbrowse10@gmail.com - 9 results

Chris | TechViewForum
techviewhd.freeforums.net > Members
Latest Status: Released the critical patch for AirBrowse : 5.2. Email: airbrowse10@gmail.com. Posts: 111. Date Registered: May 22, 2014 at 5:08pm ...

Contact - AirBrowse
airbrowse.weebly.com/contact.html
Contact us for any feedback/concerns. Visit our main site for more info: airbrowsetechnologies.weebly.com. Email: airbrowse10@gmail.com. What did you like...

Extension Store - AirBrowse
airbrowse.weebly.com/extension-store.html
Email airbrowse10@gmail.com with a .zip file of your extension. We will then upload your extension to the extension store. Create a free website. Powered by ...

Wait, who's Chris... I thought his name was Makan? 



Digging into IRC operators more:

@AnonGirl
AnonGirl [AnonGirl\ident@life.(^ffe!net.uk.to] "Just because I have a penis doesn't make me a boy."
Channels: @#ronsor
Connected to server: *.youwikiz.com (The Ronsor Illusion)
Is an IRC Administrator
Using a secure connection
Idle for 17:12:17, signed on 01/02/2015

@Ronsor
Ronsor [Ronsor\ident@ircd.youwikiz.com] * ronsor
Channels: @#ronsor @&debug.ircd.youwikiz.com @&debug.ircd.youwokiz.com
Connected to server: ircd.youwikiz.com (C:\Windows\ wina?)
Idle for 18:31:18, signed on 01/05/2015

Purely based on the findings, I can tell it's run by a bunch of immature kids. 
Resources:

https://www.google.com/
http://whatismyipaddress.com/
http://23.245.7.104/ - Sentora
http://194.68.223.240:7778/login/ - Kloxo-MR 6.5.0-f
http://who.is/domain-history/youwikiz.com
http://boxc.club/showthread.php?tid=57&pid=294#pid294
http://webcache.googleusercontent.com/search?q=cache:jFNVkdAh2rAJ:techviewhd.freeforums.net/user/6+&cd=1&hl=en&ct=clnk&gl=us

DNS                          IP
mail.boxc.club               194.68.223.240
direct.boxc.club             No DNS record
direct-connect.boxc.club     No DNS record
cpanel.boxc.club             No DNS record
ftp.boxc.club                23.245.7.104
admin.boxc.club              No DNS record
pop.boxc.club                No DNS record
imap.boxc.club               No DNS record
webmail.boxc.club            194.68.223.240
forum.boxc.club              No DNS record
admin.boxc.club              No DNS record
beta.boxc.club               No DNS record
portal.boxc.club             No DNS record
Credits:
RTGHM 



